Despite increasingly stringent industry regulations, many health care organizations and their business associates fail to ensure the integrity of sensitive information.
Security incidents in health care are not only common but also carry the highest per capita breach cost of any industry, according to the 2014 Cost of Data Breach Study: Global Analysis conducted by the Ponemon Institute. One prominent example of a data breach's expensive consequences is the $4.8 million settlement that New York Presbyterian Hospital and Columbia University reached in May 2014 for failing to secure the electronic protected health information of thousands of patients.
Industry regulations that establish IT security requirements for health care providers are often diverse and confusing. Netwrix outlines three major steps that help organizations meet compliance requirements and secure their IT infrastructure:
1. Establish effective security policies. Adopt a comprehensive internal policy that covers all aspects of critical data security. Define the roles and responsibilities of everyone who handles sensitive information, and limit access to sensitive data to the people who need it to perform their duties. Develop a detailed workflow that describes how security is maintained, as well as the actions to be taken when a security incident occurs. Regularly revise these documents to keep them up to date with current legislation and with technical and business objectives.
2. Make sure your employees maintain security. Distribute the security policies to all employees, whether or not they have access to sensitive data, and make clear that every employee is responsible for following them. Organize end-user security training for personnel and regularly test their knowledge. Another way to encourage employees to be mindful of their actions is to publish anonymized audit reports showing that activity is monitored.
3. Audit your IT infrastructure. Knowing who did what, when and where helps you detect malicious user activity, such as unauthorized access to, or modification of, sensitive data or system configuration, as early as possible. Regular reporting on changes made across the entire IT infrastructure helps confirm that the security policies in place are actually working, and helps you pass both internal and external audits.
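The third step, reviewing "who did what, when and where" for unauthorized access and configuration changes, can be illustrated with a small detection routine. The following is an added example, not Netwrix code and not part of the original text: the pipe-separated log format, the role assignments, the permission table and the business-hours window are all assumptions, and the audit events are constructed sample data rather than records from any real hospital.

```python
from datetime import datetime, time

# Constructed sample audit events (timestamp|user|action|target|host), not real data.
SAMPLE_EVENTS = [
    "2014-05-01T09:12:03|nurse.jones|READ|patient_record:1042|ward-ws-07",
    "2014-05-01T09:15:44|billing.ann|READ|patient_record:1042|billing-ws-02",
    "2014-05-01T23:41:10|nurse.jones|EXPORT|patient_record:*|ward-ws-07",
    "2014-05-01T10:02:55|helpdesk.bob|MODIFY|config:audit_policy|hd-ws-01",
    "2014-05-01T10:05:12|sysadmin.kim|MODIFY|config:audit_policy|admin-ws-01",
]

# Assumed policy: each user's role, and which actions a role may take on a data class.
# This is the "limit access to people who need it" rule from step 1, written down
# so that step 3 can check the audit trail against it.
ROLE_OF = {"nurse.jones": "clinical", "billing.ann": "billing",
           "helpdesk.bob": "helpdesk", "sysadmin.kim": "admin"}
ALLOWED = {
    ("clinical", "patient_record"): {"READ", "MODIFY"},
    ("billing", "patient_record"): {"READ"},
    ("admin", "config"): {"READ", "MODIFY"},
}
BUSINESS_HOURS = (time(7, 0), time(20, 0))  # assumed local working window


def parse_event(line):
    """Split one audit line into its who/what/when/where fields."""
    ts, user, action, target, host = line.split("|")
    data_class, _, obj = target.partition(":")
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "data_class": data_class, "object": obj, "host": host}


def check_event(ev):
    """Return a list of findings for one event; an empty list means nothing unusual."""
    findings = []
    role = ROLE_OF.get(ev["user"], "unknown")
    # Unauthorized action: the user's role is not permitted this action on this data class.
    if ev["action"] not in ALLOWED.get((role, ev["data_class"]), set()):
        findings.append(
            f"unauthorized {ev['action']} of {ev['data_class']} by {ev['user']} ({role})")
    # Bulk access: a wildcard target touches many records at once.
    if ev["object"] == "*":
        findings.append(f"bulk access to {ev['data_class']} by {ev['user']}")
    # After-hours activity is worth a second look even when the role allows the action.
    if not (BUSINESS_HOURS[0] <= ev["ts"].time() <= BUSINESS_HOURS[1]):
        findings.append(f"after-hours activity by {ev['user']} from {ev['host']}")
    return findings


def audit(lines):
    """Run every line through check_event; return only lines that produced findings."""
    report = {}
    for line in lines:
        findings = check_event(parse_event(line))
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in audit(SAMPLE_EVENTS).items():
        print(line)
        for f in findings:
            print("   ->", f)
```

Run against the sample events, the routine flags the nurse's after-hours wildcard export (unauthorized action, bulk access and after-hours activity) and the help-desk account's change to the audit policy, while the routine reads and the administrator's change pass silently. The point is that an audit trail only answers "is this allowed?" when the access policy from step 1 is expressed precisely enough to compare against.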
“Information technologies continue to improve and expand, providing countless opportunities to enhance health care services and communication between patients and health care providers. This, in turn, makes maintaining privacy and security of sensitive information one of the biggest challenges for IT departments,” said Michael Fimin, CEO and co-founder of Netwrix. “With numerous data breaches occurring, it is crucial for health care providers to have complete visibility across the entire IT infrastructure, instantly detecting malicious activity or unauthorized access to sensitive data.”